[cli] bootstrap with Permissions Boundary #9256
Comments
This is a general feature request for the CLI, I believe. Motivated by, but not specific to, pipelines.
It is. And the requests with tweaks to the bootstrapping stack are endless. I've heard 2 already in this week alone, each of them "just one more flag" to add. We should add CLI parameters to dump the template to stdout and to use the template from a given file, and then tell people to do their org-specific customizations that way. Otherwise there will be no end to this and we'll end up with a 100-flag monstrosity.
There are many requests for customization of the built-in bootstrapping template. Rather than implementing each and every request, it's more productive to allow users to help themselves.

This change introduces two new flags to `cdk bootstrap`:

* `cdk bootstrap --show-template`: prints the current template to stdout, which people can pipe to a file.
* `cdk bootstrap --template FILE`: reads the template from a file instead of using the built-in template.

This can be used to arbitrarily customize the bootstrapping template for use in any organization.

I know that the documentation changes in this PR are pretty light, but really a Developer Guide topic should be written on bootstrapping, which is next on my TODO list.

Resolves #9256, resolves #8724, resolves #3684, resolves #1528, necessary for #9681.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
❓ General Issue
The Question
Trying to use the new developer preview for cdk-pipelines, I needed to run the bootstrap process again. Tutorial steps here. When I ran the process it failed with IAM CreateRole errors. It took some amount of digging to find that the root cause is related to the use of Boundary Permissions. The new bootstrap CloudFormation template creates 4 IAM Roles, all of which need a PermissionsBoundary property to be set. Obviously, this is account specific. My ORG does not allow just random role creation, but will allow the role creation if the PermissionsBoundary is configured properly.
So is it possible to have an option like `--cloudformation-execution-policies <policy>` wherein the PermissionsBoundary is provided and subsequently applied to roles being created in the bootstrap?

Please note that this is in the context of the bootstrap. However, this question quickly applies to any CDK app. How can one configure as an aspect for a CDK App that all roles be generated with the provided PermissionsBoundary?
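One way to do the org-specific customization discussed above: dump the template with `cdk bootstrap --show-template`, add a `PermissionsBoundary` to every `AWS::IAM::Role`, and bootstrap from the result with `cdk bootstrap --template FILE`. This is an added example, not code from the CDK project; it edits the YAML as text (so tags such as `!Sub` pass through untouched) and assumes block-style YAML in which each resource's `Type` line precedes its `Properties` key. The function name, sample template, resource names and ARN are constructed for illustration.

```python
import re
from itertools import takewhile

ROLE_TYPE = re.compile(r"""^\s+Type:\s*['"]?AWS::IAM::Role['"]?\s*$""")
BARE_KEY = re.compile(r"^\s*([A-Za-z0-9]+):\s*$")  # "LogicalId:" style lines
def indent_of(line):
    return len(line) - len(line.lstrip(" "))

def add_permissions_boundary(template_text, boundary_arn):
    """Return (patched_text, logical IDs of the roles that were changed)."""
    lines = template_text.splitlines()
    out, patched, headers, role_indent, role_name = [], [], {}, None, None
    for idx, line in enumerate(lines):
        out.append(line)
        if not line.strip():
            continue
        ind = indent_of(line)
        if role_indent is not None and ind < role_indent:
            role_indent = None  # dedent: left the role resource
        if key := BARE_KEY.match(line):
            headers[ind] = key.group(1)  # remember bare keys by indent level
        if ROLE_TYPE.match(line):
            role_indent = ind
            parent = max((k for k in headers if k < ind), default=None)
            role_name = headers.get(parent, "<unknown>")
        elif ind == role_indent and line.strip() == "Properties:":
            nested = takewhile(lambda n: not n.strip() or indent_of(n) > ind, lines[idx + 1:])
            body = [n for n in nested if n.strip()]
            child = indent_of(body[0]) if body else ind + 2
            keys = {b.split(":")[0].strip() for b in body if indent_of(b) == child}
            if "PermissionsBoundary" not in keys:  # idempotent: never add a second one
                out.append(" " * child + f'PermissionsBoundary: "{boundary_arn}"')
                patched.append(role_name)
    return "\n".join(out) + "\n", patched

# Constructed sample in the shape of a bootstrap template (not the real one).
BOUNDARY = "arn:aws:iam::111122223333:policy/example-boundary"  # placeholder ARN
SAMPLE = """\
Resources:
  StagingBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub "example-${AWS::AccountId}"
  DeployRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument: {}
"""
if __name__ == "__main__":
    print(*add_permissions_boundary(SAMPLE, BOUNDARY), sep="patched roles: ")
```

Diffing the dumped template against the patched one before bootstrapping confirms that each role, and nothing else, picked up the boundary.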